As APRA accepts a Court Enforceable Undertaking (CEU) from ANZ, increasing ANZ’s capital overlay to $1bn, many in the industry are wondering how did it come to this? Carrying a capital overlay since 2019 and years on from the Hayne Royal Commission, following multiple regulatory interventions, multiple remediation programs, no doubt multiple millions of dollars, still it seems that ANZ has spectacularly failed to meet both the regulators’, and the public’s, expectations around non-financial risk management.
It would be easy to dismiss ANZ’s problems as unique to this division in this institution: a continuation of the toxic culture in the Global Markets division; as something particular to this model of financial services or something that can only beset one of the major banks. However, having worked with various large and small organisations, it is increasingly clear to us that many so-called risk uplift programs fail to demonstrate tangible and effective outcomes. But is it the case that like Tolstoy’s unhappy families, all risk uplift programs fail in their own way, while successful programs are all alike? Perhaps not identical, but we think there are a couple of key elements of an uplift program that are more likely to lead to success.
And although ANZ has its particular nuances, and Oliver Wyman’s (‘OW’) report into the culture and risk governance of the Global Markets division is somewhat anodyne, it nevertheless reveals some cautionary tales. And of course, ANZ is not the only organisation facing into these challenges as the chart below illustrates. We have taken data from APRA media releases to look at the length of time that various remediation plans are running for. So, what can we learn from ANZ, and what have we learned from our experience that really makes a program deliver?
Unequivocal leadership buy-in and relentless championing
A large loss, or a devastating regulatory action, is often sufficient to create the buy-in required of leaders. Where this is not the case, or where that is not a sufficiently powerful driver, leadership buy-in must be cultivated. Framing programs as an ‘uplift’ can also reinforce a narrative that this is a ‘nice to have’, or something that is just for the Risk team. Hardly motivational stuff: the message needs to be direct and clear that the current approach doesn’t cut the mustard. The fundamental need to shift an organisation has to hit the heart and the gut, as well as the head. We accept that change is hard, just ask anyone who has ever tried to start a new exercise habit. Without that compelling case for change, most interventions will only touch the sides and not the organisational system as a whole. This may require coaching and cultural interventions for the leadership team – even with the best intentions, shifting from a deeply embedded pattern to something new takes time and will, as well as skill.
OW reports that ANZ’s Global Markets senior leadership did not consistently ‘walk-the-walk’ with regarding staff conduct and risk management. In some instances, leadership ignored repeated reports of poor behaviour, failed to model positive risk attributes, and did not conform with group policies and procedures. It appears that the existing remediation programs did not have a meaningful impact on the division’s operational reality and therefore practices. In ANZ’s case, this was compounded by its federated model of operations – the targeted group-wide culture did not sufficiently penetrate the Global Markets division. However, here is a clear role for senior group leadership – understanding how change is penetrating through middle management and across a corporate structure is essential, particularly where there have been known problems in the past.
Leaders need to prioritise the change and clear the way for it to occur. But change takes time, and long after the initial enthusiasm fades, continues to require championing, narrative-building and ongoing reinforcement to effectively transmit and stick.
If both senior leadership and middle management are not bought in and are not continuing to lead change, questions must be considered: is the program misdirected, are the leaders the right leaders?
Alignment
Leadership role-modelling and messaging are critical, but in programs that work, these are carefully aligned with both formal and informal infrastructure and mechanisms, including policies, training and operational realities.
In the case of ANZ, it appears to OW, for example, that although policies were in place to prioritise positive risk behaviour in performance appraisals, this wasn’t always followed in practice with managers rewarding financial performance above all else. Risk incidents were only escalated to the Board if they had an actual financial impact – giving a clear message that financial performance was the main game. In addition, some of those who reported poor conduct were not guaranteed confidentiality, and some were reported to have faced retaliation.
ANZ more broadly has been distancing itself for years from the questionable behaviour in the Global Markets division. It’s the classic bad apple defence, and while it might be good for preserving reputation and minimising regulatory consequences, it’s a poor strategy for meaningful and long-term change. As Mark Carney once said of repeated financial sector scandals, “the issue is with the barrels in which they are stored.” Institutions need to recognise that these organisational conditions cause or enable so called bad apples to flourish, and act accordingly. If incentives remain in place – be they financial or behavioural – that make the old way of doing things easier or more rewarding than the target state, then no amount of leadership will make a risk uplift stick.
Ownership of risk and change
As risk management expectations have expanded, and as the 3LoD model has gained prominence, there has been a tendency to add risk expertise at what is sometimes called ‘Line 1.5’ – embedded risk professionals to support the business to manage risks. While the driver for this is typically framed as expertise, quite often it is for risk administration (read, bureaucracy). This can, as is highlighted in the report, create a situation where the actual frontline staff do not take adequate responsibility for risk, or remediation. The lack of responsibility that Line 1 took/had in the ANZ case is cited by OW as one of the drivers of the failure of the division to improve following multiple remediations.
In more successful uplifts, the program is targeted to the business and end user. Individuals respond differently to the same expectations, which makes strong leadership and varying interventions essential. In addition, the program team does not become a behemoth that is stood up for a short time to ‘get the job done’ but rather facilitates the integration of the remediation throughout the organisation, understanding that the process will not be linear and there will be a need to adjust and adapt.
Seeking (and measuring) outcomes
It seems like a wasted opportunity, but too often we have seen risk ‘uplift’ programs that are primarily intended to satisfy the regulator or demonstrate some kind of action has been taken. A team of risk managers diligently create plans to design-implement-embed and a team of change managers are tasked with communicating and transmitting the uplift. Without a clear understanding of the target state, it is possible to tick off the boxes, but not to really understand whether improvements have been made as measured by effectiveness. In our view, if you are going to invest so much time, energy and money, it is worthwhile doing something that actually works for the business, not just for the regulator. The more successful programs have clarity of purpose and direction and tangible effectiveness measures. The leaders know what good looks like and (as discussed above) drive the organisation to get there and can meaningfully quantify the upside.
Really understanding and addressing root cause
From the OW report, it is apparent that the Global Markets division only performed shallow analyses of incidents, failing to connect dots and identify thematic/systemic issues, and even lessons learned were not adequately followed up. Ironically enough, although a lack of root cause analysis is called out as one of the issues in the Global Markets division, we wonder whether root cause has been truly identified: a condition of the ANZ CEU is that ANZ appoint an independent reviewer to perform a group wide review of root causes and behavioural drivers of the persistent weaknesses in non-financial risk management.
Why did the cultural gap persist? Why did these remediation programs fail to take hold? Why were the managers not setting a good example? Understanding these kinds of questions and more is essential to shifting the deep foundational underpinnings of culture and behaviour.
Proactive action
Finally, although measuring preventative measures is notoriously challenging, a program that enables an organisation to avoid or pre-empt a major incident is a success in our view. In some cases, we think organisations are making a fundamental error in their cost-benefit analysis – where perhaps regulatory risk is considered just a cost of doing business, or where insufficient weight is given to the consequences of a failure; which is certainly not a burning platform from which to drive transformative change. Regulatory expectations are high, and directors and executives should be asking what do we need to do now, to ensure that we aren’t in this kind of situation in the future. The best risk uplift isn’t driven by a regulator, or a public reckoning; it is proactive and tailored to the organisation. While the major banks may have extra capacity – financial and human – for repeated risk uplift programs, smaller entities need to get it right the first time. Those organisations that embrace the regulatory guidance as an opportunity, rather than seeing new requirements such as CPS 230 and FAR as another regulatory burden, instead use them as they were intended, to shift the needle on risk management – are likely to benefit more broadly.
And a final note: The failings at ANZ have continued and compounded on APRA’s watch. Expect the regulators to learn from this too, to be thinking deeply about what preventing matters that would ‘adversely affect the prudential standing’ means under FAR. We also expect heightened expectations and supervision when it comes to risk remediation and transformation programs.
Rhizome can help. We work with firms across the financial sector to understand, prepare for, and manage risks across a number of domains.
Please reach out to us for more information.
This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Rhizome Advisory Group Pty Ltd shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss of damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).